>> On 13:28 23 Feb 2002, Rupendra Singh <[EMAIL PROTECTED]> wrote:
>> | thanks that solved the problem
>> | permissions were:
>> | -rwx------ 1 root root 46224 Aug 28 13:16
>>
>> Good.
>>
>> | but how did it happen i never entered the /lib directory as root
>>
>> A mystery. But this is what you must find out so that you can
>> prevent it happening again.
>>
>> | by the way i am running squirrelmail as webmail and i have observed
>> | that some of my squirrelmail users became owners of some randomly
>> | chosen files in /bin and /usr/bin. i cannot doubt these users and
>> | they do not have shell access.
>>
>> I would guess some bug or hole in the webmail side of things.
>> Such an app often runs with root privileges for at least part of its
>> operation (in order to become whichever user is accessing the email)
>> and as such has the power to do arbitrary things anywhere on the
>> system by accident if badly coded.
>>
>> Which files were getting changed?
>
> ls
> df
> free
> netstat
> ifconfig

Mike Pelley wrote:
> Boy. I'm willing to bet that there might be some hacking going
> around...
>
> Mike
>

permissions on these files were 700 but the users (2 of them) owning these files could not be doubted (but i don't want to take chances).

but now i am beginning to doubt because:
"logwatch" mails to root are empty with only starting and ending lines.
secure log is empty:

-rw------- 1 root root      0 Feb 24 04:02 maillog
-rw------- 1 root root   1046 Feb 19 04:46 maillog.1
-rw------- 1 root root   2515 Feb 16 18:56 maillog.2
-rw------- 1 root root      0 Feb 24 04:02 secure
-rw------- 1 root root  75603 Feb 19 13:30 secure.1
-rw------- 1 root root 185674 Feb 16 19:59 secure.2

"tail secure.1" and "tail maillog.1" show the last access took place on 19 Feb.
is it just log rotation, or should i start taking backups? am i really being hacked?
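
The two symptoms reported in this thread (system binaries owned by non-root users, and files left at mode 700) can be swept for across whole directories. The following is an added example, not code from any poster in the thread; the function names audit_ownership and audit_modes are made up for illustration, and it assumes a find(1) that supports -user, -perm and -xdev.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
# Assumes a find(1) with -user, -perm and -xdev (GNU findutils has all three).

# audit_ownership EXPECTED_OWNER DIR...
# Lists regular files NOT owned by EXPECTED_OWNER (user name or numeric uid).
# Files under /bin, /usr/bin and /lib are normally owned by root, so any
# output here matches the ownership symptom reported in the thread.
audit_ownership() {
    expected_owner=$1
    shift
    find "$@" -xdev -type f ! -user "$expected_owner" -exec ls -ld {} +
}

# audit_modes MASK DIR...
# Lists regular files that are missing any of the permission bits in MASK.
#   MASK 005: binaries that "other" cannot read and execute (e.g. mode 0700)
#   MASK 004: libraries that "other" cannot read
audit_modes() {
    required_bits=$1
    shift
    find "$@" -xdev -type f ! -perm "-$required_bits" -exec ls -ld {} +
}

# Typical use, as root:
#   audit_ownership root /bin /usr/bin /lib
#   audit_modes 005 /bin /usr/bin
#   audit_modes 004 /lib
```

Every line printed is a candidate for review, not proof of tampering, since a few binaries are legitimately restricted. On an RPM-based system such as Red Hat, rpm -Va additionally compares owner, mode and checksum of packaged files against the RPM database.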